#1128835 ca-certificates: update-ca-certificates fails with LibreSSL (openssl rehash not available)

#1128835#5
Date: 2026-02-23 14:43:09 UTC
update-ca-certificates calls `openssl rehash` (sbin/update-ca-certificates,
line 192), but LibreSSL does not implement the `rehash` subcommand — it
provides `certhash` instead.

Because the script runs under `#!/bin/sh -e`, the failing `openssl rehash`
causes the script to exit immediately, before the CA bundle file
(ca-certificates.crt) is written.  This leaves /etc/ssl/certs in a broken
state: certificate symlinks may have been updated, but the bundle that many
applications depend on is never generated.

The attached patch detects LibreSSL at startup via `openssl version` output
and stores the appropriate subcommand in a shell variable ($REHASH_CMD).
The POSIX `case` construct is used to avoid introducing bashisms, since the
script uses `#!/bin/sh`.

The patch applies cleanly against current ca-certificates master
(ba3830faf6, "Upload to unstable").

Upstream LibreSSL issue:
   https://github.com/libressl/portable/issues/1136
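
The failure mode and the detection approach described in message #5, as an added example: this is not the attached patch, which this page does not show. The function names, the stub `openssl` and the version strings are constructed for illustration.

```shell
#!/bin/sh
# Added illustration, not the patch attached to the bug report.

# Choose the hashing subcommand from `openssl version` output, using POSIX
# `case` so it works under plain /bin/sh.
select_rehash_cmd() {
    case "$1" in
        LibreSSL*) echo certhash ;;
        *)         echo rehash ;;
    esac
}

# Run a miniature of the script's order of operations in a child `sh -e`:
# refresh links, hash the directory, write the bundle. The child defines a
# constructed stand-in for LibreSSL's openssl that rejects `rehash`.
# $1 = scratch directory, $2 = hashing subcommand.
simulate_update() {
    sh -e -s -- "$1" "$2" <<'EOF'
openssl() {
    case "$1" in
        certhash) return 0 ;;
        *) echo "openssl: unknown command '$1'" >&2; return 1 ;;
    esac
}
: > "$1/links-updated"
openssl "$2" "$1"
: > "$1/ca-certificates.crt"
EOF
}

# Print "yes" if the bundle exists after a run with subcommand $1, else "no".
bundle_written() {
    dir=$(mktemp -d) || return 2
    simulate_update "$dir" "$1" 2>/dev/null || true
    if [ -f "$dir/ca-certificates.crt" ]; then result=yes; else result=no; fi
    rm -rf "$dir"
    echo "$result"
}

# Constructed sample version string, not captured output.
echo "hard-coded rehash on LibreSSL: bundle written? $(bundle_written rehash)"
cmd=$(select_rehash_cmd "LibreSSL 0.0.0")
echo "detected '$cmd' on LibreSSL: bundle written? $(bundle_written "$cmd")"
```

With the hard-coded subcommand the child shell exits after the link step and the bundle file is never created, which is the half-updated state the report describes.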

#1128835#10
Date: 2026-02-23 15:16:41 UTC
Control: severity -1 wishlist
I'm not convinced this is something we want/need to support...

Cheers,
Julien